Files
Arch-R/projects/ArchR/packages/security/pinentry/package.mk
T
Douglas Teles 199e9a5ee4 security: bump gnupg to 2.4.8, add libksba/npth/pinentry deps
Live diagnostic on a R36S running the 20260624 image showed:

  archr:~ # gpg --version | head -1
  gpg (GnuPG) 1.4.23
  archr:~ # gpg --list-packets /usr/share/pacman/keyrings/archr.gpg
  :public key packet:
      ...
      unknown algorithm 22

GPG 1.4 is the "classic" branch, frozen before Ed25519 (algorithm 22)
was added in 2.1.x (2014). pacman-key 7.x also calls into gpg with
--check-signatures, a 2.x-only flag. With the ArchR master subkey
being Ed25519 the legacy 1.4 binary can neither parse nor verify the
keyring, so pacman -Sy fails with "no valid user IDs" and "signature
... is invalid" no matter how the user populates the keyring.

Fix the build, not the key. JELOS-era pacman packages cap GnuPG at
1.4.23 because that's the minimal-deps branch; ArchR is now an
Arch-family distro that ships pacman 7 as the user-facing update path,
so it has to ship the modern GnuPG runtime that pacman expects.

New packages:
- libksba 1.8.0
- npth 1.8
- pinentry 1.3.2 (built with --enable-pinentry-tty/curses only;
  the GUI variants would pull GTK/Qt that the handheld doesn't have)

Updated:
- gnupg 1.4.23 -> 2.4.8 (latest LTS branch)
  Configure trims to the bits pacman uses: gpg + gpgsm + gpgconf.
  scdaemon, dirmngr, tofu, wks, gpg-card and the historical 1.4-era
  ciphers (idea/cast5/md5/rmd160) are disabled to keep the image lean.
  pinentry-tty is the configured pinentry program, since the handheld
  has no graphical desktop session to use the other variants.

libassuan, libgcrypt and libgpg-error already live in projects/ArchR/
packages/security/ from earlier work — no new dep tree there.

This unblocks the pacman pipeline on R36S: archr-keyring populate will
parse the Ed25519 master, signature verification will accept the
ArchR-signed archr.db, and pacman -Sy lands at the package list.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-24 01:59:24 -03:00

26 lines
1.1 KiB
Makefile

# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (C) 2026-present ArchR
PKG_NAME="pinentry"
PKG_VERSION="1.3.2"
PKG_SHA256="8e986ed88561b4da6e9efe0c54fa4ca8923035c99264df0b0464497c5fb94e9e"
PKG_LICENSE="GPL"
PKG_SITE="https://gnupg.org/"
PKG_URL="https://gnupg.org/ftp/gcrypt/pinentry/pinentry-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain libgpg-error libassuan"
PKG_LONGDESC="Passphrase entry helpers used by GnuPG 2.x. ArchR ships only the
TTY/curses variants; the GUI ones (gnome3, qt5, gtk2, fltk) would pull
desktop dependencies that the handheld doesn't have."
PKG_CONFIGURE_OPTS_TARGET="--enable-pinentry-tty \
--enable-pinentry-curses \
--disable-pinentry-emacs \
--disable-pinentry-gnome3 \
--disable-pinentry-gtk2 \
--disable-pinentry-qt \
--disable-pinentry-qt5 \
--disable-pinentry-fltk \
--disable-rpath \
--without-libcap \
--without-libsecret"